SAML 2.0 SSO

To set up SAML-based SSO you’ll need to be an admin and be subscribed to the Premium, Unlimited or Enterprise package. This document assumes you are familiar with setting up SAML 2.0 SSO.

The process starts with creating a SAML 2.0 connector/application within your identity provider (IdP) and then creating a corresponding integration in ProdPad.

In IdP

  1. Create a new SAML 2.0 connector
  2. Enter the IdP Entity ID as https://api.prodpad.com/api/v2/sso/saml/metadata
  3. Generate a private & public key and upload the private key to the identity provider
  4. Enter the SP Entity ID as https://api.prodpad.com/api/v2/sso/saml/metadata
  5. In the ACS entity URL field enter https://api.prodpad.com/api/v2/sso/saml/acs
  6. In the Single Logout or SLS field enter: https://api.prodpad.com/api/v2/sso/saml/sls
  7. If there is a name or label field add "ProdPad"
  8. If there is a tag field then add "prodpad"
  9. If there is an option to upload logos so your team can identify this easily, the ProdPad logos are attached at the bottom of this page.
  10. Save the connector and copy the provided IdP URL (e.g. https://sso.jumpcloud.com/saml2/prodpad)


In ProdPad

  1. To start go to Account Settings and select the Authentication tab.
  2. Select an identity provider from the "Add authentication service" dropdown. If your provider isn’t there, select the SAML option.
  3. Enter the URL that users should be redirected to when they attempt to log in from the ProdPad login page. This will be something like https://sso.jumpcloud.com/saml2/prodpad
  4. Paste the text of the X.509 certificate (the public key generated above) into the X.509 field.
  5. If you want, enter a logout URL to which users will be redirected on logout, e.g. https://console.jumpcloud.com/userconsole/
  6. Enter the domain that will be used. This must match the domain of your email address. We’ll send you an email to confirm ownership of the email.
  7. Hit save
  8. Click on the link in the email sent to finish the process of setting up the SSO

To test, you can now go to the identity provider’s console and click on the ProdPad app icon, and you’ll be logged into ProdPad. You can then go to https://app.prodpad.com/login and enter your email. You’ll then be shown a button to log in using your IdP.

Notes

  • The domain you enter into the form must match the email domain that you are using for your own role in ProdPad. If it doesn’t match it will error
  • Each user will need to have an email that matches the entered domain, otherwise they will get a "Mis-matched email" error when trying to log in

Setting Up Automatic Provisioning

ProdPad supports the automatic provisioning of users from your connected directory via the IdP. The automatic provisioning does the following tasks:

  • When a new user is added to the IdP, the user is created in ProdPad, assuming the user meets the setup rules within the IdP
  • When a user's role is changed in the IdP, the user's role is changed in ProdPad
  • If a user is removed from the IdP, or a user is removed from having access to the ProdPad app in the IdP, the user is removed from ProdPad

In order for automatic provisioning to work you'll need to add a SAML attribute called ProdpadRole. The value for this attribute can be one of "reviewer", "editor" or "admin".

You don't need to allow everyone in the company access to ProdPad. Depending on how your IdP works, you can specify that only users with a specific tag or in a specific group have access to ProdPad.

Automatic Provisioning is only available for Unlimited and Enterprise plans.

In the IdP

  1. Create a custom field for the users called "ProdpadRole" that will be used to set the user's role in ProdPad
  2. Select a generic SAML connector that supports SCIM in your IdP
  3. Enter the following URLs into the respective fields:
    1. SAML Audience URL: https://api.prodpad.com/api/v2/sso/saml/metadata
    2. SAML Consumer URL: https://api.prodpad.com/api/v2/sso/saml/acs
    3. SCIM Base URL: https://api.prodpad.com/api/v2/scim
  4. Enter the following into the SCIM JSON template text field:

    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:scim:prodpad:2.0:schema"
      ],
      "userName": "{$user.email}",
      "name": {
        "familyName": "{$user.lastname}",
        "givenName": "{$user.firstname}"
      },
      "urn:scim:prodpad:2.0:schema": {
        "role": "{$parameters.ProdpadRole}"
      }
    }

  5. In ProdPad, go to the API key tab (https://app.prodpad.com/me/apikeys), copy the API key and paste it into the SCIM Bearer Token field.
  6. Enable the API connection if relevant for your IdP connector
  7. Enable provisioning if relevant in your IdP
  8. If you don’t want or need to always manually approve provisioning, make sure you change any settings related to Creating, Updating or Deleting Users so those actions don’t require admin approval but instead happen automatically
  9. If you want users to be deleted from ProdPad when deleted from your IdP, make sure the "Delete" action in the IdP is set to delete the user in the SCIM provisioning
  10. To control the user’s role in ProdPad using the IdP, you’ll need to create a custom user field/attribute/parameter that stores the role. You’ll then need to create a SAML attribute called "ProdpadRole" that is filled with the value from your custom field

In ProdPad

Configuration in ProdPad is the same as for "SAML 2.0 SSO" described above.

Notes

  • The domain you enter into the form must match the email domain that you are using for your own role in ProdPad. If it doesn’t match it will error
  • Each user will need to have an email that matches the entered domain otherwise they will get a "Mis-matched email" error when trying to log in
  • The only valid values for the ProdpadRole parameter are "reviewer", "editor" and "admin". If nothing is entered, or something other than those 3 values is used, the person’s role in ProdPad will default to "reviewer"
  • Once the app is set up it will check users against the users in ProdPad, and if the emails match, OneLogin will automatically update the user’s role in ProdPad with the appropriate information so the user can immediately start using OneLogin to log in to ProdPad

If the user already exists in ProdPad but doesn't have a role in your ProdPad account, then the role won’t be updated or a role created in your account. This is done to avoid potential security issues. If a user already has a role with another account in ProdPad, get in touch to resolve the issue.
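As an added example (not ProdPad's or OneLogin's own code), the following Python renders the SCIM JSON template above for a constructed user and then applies the provisioning rules from these notes: the email domain must match the configured domain, and a ProdpadRole outside the three valid values falls back to "reviewer". The placeholder substitution and the `evaluate_provisioning` check are assumptions modelled on the template and notes shown; ProdPad's server-side validation may differ in detail.

```python
import json
import re

# The SCIM JSON template from this page ({$...} placeholders, OneLogin style).
SCIM_TEMPLATE = """{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:scim:prodpad:2.0:schema"
  ],
  "userName": "{$user.email}",
  "name": {
    "familyName": "{$user.lastname}",
    "givenName": "{$user.firstname}"
  },
  "urn:scim:prodpad:2.0:schema": {
    "role": "{$parameters.ProdpadRole}"
  }
}"""

PRODPAD_SCHEMA = "urn:scim:prodpad:2.0:schema"
VALID_ROLES = {"reviewer", "editor", "admin"}   # the only values the page allows
PLACEHOLDER = re.compile(r"\{\$([A-Za-z]+)\.([A-Za-z]+)\}")


def render_template(user: dict, parameters: dict) -> dict:
    """Substitute {$user.x} / {$parameters.x} placeholders (assumed IdP behaviour)."""
    sources = {"user": user, "parameters": parameters}

    def substitute(match: re.Match) -> str:
        scope, key = match.group(1), match.group(2)
        # json.dumps escapes quotes/backslashes; drop its outer quotes because the
        # placeholder already sits inside quotes in the template.
        return json.dumps(str(sources[scope].get(key, "")))[1:-1]

    return json.loads(PLACEHOLDER.sub(substitute, SCIM_TEMPLATE))


def evaluate_provisioning(payload: dict, allowed_domain: str) -> dict:
    """Apply the rules in the notes: domain must match, unknown role -> reviewer."""
    email = payload.get("userName", "")
    domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
    if domain != allowed_domain.lower():
        return {"ok": False, "error": "Mis-matched email"}
    role = payload.get(PRODPAD_SCHEMA, {}).get("role", "")
    if role not in VALID_ROLES:
        role = "reviewer"   # page: missing or unrecognised value defaults to reviewer
    return {"ok": True, "email": email, "role": role}
```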
